Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities in web applications. It occurs when a website includes user input in a webpage without proper validation or escaping. Attackers can exploit this to run malicious JavaScript in a user’s browser—stealing cookies, hijacking sessions, redirecting users, or modifying webpage content.
This article explains:
- The main types of XSS
- How to find XSS vulnerabilities
- How to prevent them
Types of XSS
1. Reflected XSS (Non-Persistent XSS)
This occurs when user input is immediately returned in the server’s response.
Example:
A search box reflects your input directly on the search result page without filtering.
Key Features:
- Payload travels in the URL or request.
- Not stored on the server.
- Common in search forms, error messages, and URL parameters.
2. Stored XSS (Persistent XSS)
Stored XSS is more dangerous because the malicious input is saved on the server and delivered to other users later.
Example:
A malicious script added to a comment section that loads for every visitor.
Key Features:
- Payload is stored in the database.
- Can affect many users.
- Common in forums, blogs, profile bios, and social platforms.
3. DOM-Based XSS
DOM-Based XSS occurs entirely on the client side. The payload may never reach the server.
Example:
JavaScript reads a value from the URL and inserts it into the page using innerHTML without sanitizing it.
Key Features:
- Vulnerability exists in client-side JavaScript.
- Triggered by unsafe DOM manipulation.
How to Find XSS Vulnerabilities
Use these methods only in authorized environments—never on websites you do not have permission to test.
Test All Input Fields
Check every place where users can enter data:
- Forms (login, signup, search)
- URL parameters
- Hidden fields
- Comments and reviews
- API/JSON input
Try entering special characters like:
< > " ' / &
If these appear unescaped in output, an XSS risk exists.
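The check described above can be turned into a repeatable test against an application you own. The following is an added example, not code from the original article: you submit a marker string that wraps each special character in a unique token, capture the response body, and the function reports which characters came back without encoding. The sample response bodies are constructed here for illustration; the token `zq9k` is an arbitrary choice.

```javascript
// Added example, not part of the original article: a regression-style check
// that tells you which special characters a page of your own reflected
// without encoding. Submit buildProbe() in a form field or URL parameter,
// capture the response body, and pass it to unescapedReflections().

const SPECIAL_CHARS = ['<', '>', '"', "'", '/', '&'];

// Wrap one character in a unique token so the reflected copy can be told
// apart from unrelated occurrences of the same character in the page.
function probeFor(ch, token = 'zq9k') {
  return `${token}${ch}${token}`;
}

// The full string to submit: every special character, each wrapped in the token.
function buildProbe(token = 'zq9k') {
  return SPECIAL_CHARS.map((ch) => probeFor(ch, token)).join(' ');
}

// Returns the special characters that came back verbatim in the response.
// An empty list means every character was encoded, or the input was not
// reflected at all; either way nothing reached the page unescaped.
function unescapedReflections(body, token = 'zq9k') {
  return SPECIAL_CHARS.filter((ch) => body.includes(probeFor(ch, token)));
}

// Constructed sample responses (there is no real site behind them).
// 1. A page that HTML-encodes everything.
const ENCODED_PAGE =
  '<p>Results for: zq9k&lt;zq9k zq9k&gt;zq9k zq9k&quot;zq9k ' +
  'zq9k&#x27;zq9k zq9k&#x2F;zq9k zq9k&amp;zq9k</p>';
// 2. A page that reflects the input exactly as submitted.
const RAW_PAGE = '<p>Results for: ' + buildProbe() + '</p>';
// 3. A page whose escaper only handles < > " and &, a common partial fix
//    that still leaves single-quoted attributes exposed.
const PARTIAL_PAGE =
  '<p>Results for: zq9k&lt;zq9k zq9k&gt;zq9k zq9k&quot;zq9k ' +
  "zq9k'zq9k zq9k/zq9k zq9k&amp;zq9k</p>";

console.log(unescapedReflections(ENCODED_PAGE)); // []
console.log(unescapedReflections(RAW_PAGE));     // all six characters
console.log(unescapedReflections(PARTIAL_PAGE)); // [ "'", '/' ]
```

The third case is the one worth keeping in a test suite: an escaper that handles the angle brackets but not the apostrophe looks fixed in the HTML body while still failing inside a single-quoted attribute.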
Check Where Input Appears in Output
Look for reflections in:
- HTML body
- HTML attributes
- JavaScript variables
- URLs
- DOM elements
Any place that displays untrusted input without encoding it for that specific context can cause XSS.
Inspect Client-Side JavaScript
Look for unsafe functions:
- innerHTML
- document.write
- eval()
- outerHTML
- Direct usage of location.search or location.hash
These often lead to DOM-Based XSS.
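A first pass over client-side code can be automated. The block below is an added example, not code from the original article: it greps a JavaScript source for the sinks and sources listed above and reports the lines that hit, with lines that combine a source and a sink singled out. The sample file is constructed; the regular expressions are my own and are deliberately simple, so every hit is a line to review by hand, not a confirmed vulnerability.

```javascript
// Added example, not from the original article: a small static check that
// lists the lines of a JavaScript file which use dangerous sinks or read
// attacker-influenced sources. It is a grep with context, not a parser.

const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)/ },
  { name: 'outerHTML', re: /\.outerHTML\s*\+?=(?!=)/ },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'eval', re: /\beval\s*\(/ },
];

const SOURCES = [
  { name: 'location.search', re: /\blocation\.search\b/ },
  { name: 'location.hash', re: /\blocation\.hash\b/ },
];

// Returns one record per matching pattern: { line, kind, name, text }.
function findDomXssCandidates(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const s of SINKS) {
      if (s.re.test(text)) hits.push({ line: i + 1, kind: 'sink', name: s.name, text: text.trim() });
    }
    for (const s of SOURCES) {
      if (s.re.test(text)) hits.push({ line: i + 1, kind: 'source', name: s.name, text: text.trim() });
    }
  });
  return hits;
}

// Lines that both read a source and write a sink deserve the closest look:
// the untrusted value reaches the DOM with no intermediate step to inspect.
function sourceToSinkLines(hits) {
  const kindsByLine = new Map();
  for (const h of hits) {
    const kinds = kindsByLine.get(h.line) || new Set();
    kinds.add(h.kind);
    kindsByLine.set(h.line, kinds);
  }
  return [...kindsByLine.entries()]
    .filter(([, kinds]) => kinds.size === 2)
    .map(([line]) => line);
}

// Constructed sample file (not real application code).
const SAMPLE = [
  "const params = new URLSearchParams(location.search);",           // 1: source
  "const name = params.get('name') || 'guest';",                     // 2
  "document.getElementById('greet').innerHTML = 'Hi ' + name;",     // 3: sink
  "document.getElementById('greet2').textContent = 'Hi ' + name;",  // 4: safe
  "banner.innerHTML = decodeURIComponent(location.hash.slice(1));", // 5: source + sink
  "const total = JSON.parse(data);",                                 // 6: not flagged
].join('\n');

const hits = findDomXssCandidates(SAMPLE);
console.log(hits);                    // four records: lines 1, 3, 5, 5
console.log(sourceToSinkLines(hits)); // [ 5 ]
```

Line 3 is flagged even though the value passes through a variable first; the scanner cannot follow data flow, which is why it reports sinks on their own and leaves the tracing to the reviewer.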
Use Security Testing Tools
With permission, you can use tools like:
- Burp Suite
- OWASP ZAP
- Browser Developer Tools
These help spot unescaped output, reflected parameters, and dangerous DOM behavior.
Review Server-Side Code
Check backend code for:
- Missing input validation
- Missing output encoding
- Unsafe template rendering
- Use of outdated or unsafe frameworks
How to Prevent XSS
XSS can be prevented with proper coding practices.
Output Encoding
Always escape user input before outputting it into:
- HTML
- JS
- CSS
- URLs
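Each of those four contexts needs its own encoder, because a value that is safe in an HTML body can still break out of a JavaScript string or a CSS rule. The following is an added example, not code from the original article: one encoder per context, applied to the same constructed untrusted string. The function names are mine; the encodings follow the usual rules (entity encoding for HTML, `\xHH` escapes for JavaScript strings, `\HH ` escapes for CSS strings, and `encodeURIComponent` for URL parameters).

```javascript
// Added example, not from the original article: one encoder per output
// context. The encoding has to match where the value lands, so the same
// untrusted string is transformed differently for each sink.

// HTML body and quoted attribute values: entity-encode the six characters
// that can change the markup or end an attribute.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Inside a quoted JavaScript string literal: hex-escape everything that is
// not alphanumeric, so the value can neither end the string nor the script.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Inside a CSS string (for example content: "..."): backslash-hex escape
// with a trailing space so the next character is not read as part of the code.
function encodeForCssString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16) + ' ');
}

// A query-string parameter value. Note that encodeURIComponent leaves the
// apostrophe alone, and percent-encoding is not a substitute for HTML
// encoding when the URL is then written into an attribute (see urlInHtml).
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Constructed untrusted input for the examples below.
const UNTRUSTED = `O'Neil <b>&co</b>`;

// The same value rendered into each context.
function renderAll(value) {
  return {
    html: `<p>${encodeForHtml(value)}</p>`,
    attr: `<input value="${encodeForHtml(value)}">`,
    js: `var name = '${encodeForJsString(value)}';`,
    css: `.u::after { content: "${encodeForCssString(value)}"; }`,
    url: `/search?q=${encodeForUrlParam(value)}`,
    urlInHtml: `<a href="/search?q=${encodeForHtml(encodeForUrlParam(value))}">go</a>`,
  };
}

console.log(renderAll(UNTRUSTED));
```

The `urlInHtml` line shows encoders nesting from the inside out: first the value is percent-encoded because it is a query parameter, then the whole URL is HTML-encoded because it sits inside an attribute. Template engines that do this automatically are doing exactly this layering for you.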
Input Validation & Sanitization
Filter and sanitize all user input on both the client and server. Client-side checks improve usability but can be bypassed, so the server-side check is the one that enforces security.
Use Safe Templating Engines
Frameworks like React, Angular, and Vue escape interpolated output by default. Their escape hatches (React's dangerouslySetInnerHTML, Angular's bypassSecurityTrust methods, Vue's v-html) disable that protection and need the same care as innerHTML.
Apply Content Security Policy (CSP)
A good CSP can reduce the impact of XSS by blocking unauthorized scripts.
Avoid Dangerous JavaScript Functions
Avoid using:
- innerHTML (use textContent instead)
- eval()
- Unsafe DOM manipulation
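The innerHTML-versus-textContent point, applied to the DOM-Based XSS scenario from earlier in the article (a value read from the URL fragment and written into the page). The block below is an added example, not code from the original article: the same greeting rendered through both sinks. `StubElement` is a constructed stand-in for a DOM node that models only the behaviour that matters here (innerHTML is parsed as markup, textContent is not), so the code also runs outside a browser; in a real page you would pass an element from `document.getElementById()` and `location.hash` instead.

```javascript
// Added example, not from the original article: the DOM-based case fixed at
// the sink. The page reads "#name=..." from the URL fragment and greets the
// user; the unsafe version writes it with innerHTML, the safe one with
// textContent.

// Read the "name" parameter from a hash string such as location.hash.
function nameFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('name') || 'guest';
}

// Vulnerable: the value is parsed as HTML, so any markup it carries becomes
// part of the document. This is the DOM-based XSS pattern described above.
function greetUnsafe(el, hash) {
  el.innerHTML = 'Hello, ' + nameFromHash(hash);
  return el;
}

// Fixed: textContent stores the value as a text node. The browser never
// parses it as markup, and serializing the node shows it entity-encoded.
function greetSafe(el, hash) {
  el.textContent = 'Hello, ' + nameFromHash(hash);
  return el;
}

// Constructed stand-in for a DOM element so this runs without a browser.
class StubElement {
  constructor() { this.tags = []; this.text = ''; this.raw = ''; }
  // innerHTML: the string is parsed as markup; tags become child elements.
  set innerHTML(markup) {
    this.raw = markup;
    this.tags = markup.match(/<\/?[a-z][^>]*>/gi) || [];
    this.text = markup.replace(/<[^>]*>/g, '');
  }
  get innerHTML() { return this.tags.length ? this.raw : escapeText(this.text); }
  // textContent: the string is stored as one text node, nothing is parsed.
  set textContent(value) { this.tags = []; this.text = value; this.raw = value; }
  get textContent() { return this.text; }
}

function escapeText(s) {
  return s.replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c]);
}

// Constructed input: a "name" that carries markup (URL-encoded <b>Eve</b>).
const SAMPLE_HASH = '#name=%3Cb%3EEve%3C%2Fb%3E';

console.log(greetUnsafe(new StubElement(), SAMPLE_HASH).tags);    // [ '<b>', '</b>' ]
console.log(greetSafe(new StubElement(), SAMPLE_HASH).innerHTML); // Hello, &lt;b&gt;Eve&lt;/b&gt;
```

The fix changes nothing about where the value comes from; it changes only how the sink treats it. That is why reviewing sinks (the "Inspect Client-Side JavaScript" step above) is usually faster than trying to validate every source.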
Conclusion
XSS is a powerful and common vulnerability caused by improperly handled user input. Understanding the three main types—Reflected, Stored, and DOM-Based XSS—helps in identifying and eliminating security weaknesses. With proper validation, escaping, and secure coding practices, XSS can be effectively prevented.